practical packet analysis using wireshark to solve real world network problems part 1 doc



Document information

It’s easy enough to install Wireshark and begin capturing packets off the wire—or from the air. But how do you interpret those packets once you’ve captured them? And how can those packets help you to better understand what’s going on under the hood of your network? Practical Packet Analysis shows how to use Wireshark to capture and then analyze packets as you take an in-depth look at real-world packet analysis and network troubleshooting. The way the pros do it.

Wireshark (derived from the Ethereal project) has become the world’s most popular network sniffing application. But while Wireshark comes with documentation, there’s not a whole lot of information to show you how to use it in real-world scenarios. Practical Packet Analysis shows you how to:

• Use packet analysis to tackle common network problems, such as loss of connectivity, slow networks, malware infections, and more
• Build customized capture and display filters
• Tap into live network communication
• Graph traffic patterns to visualize the data flowing across your network
• Use advanced Wireshark features to understand confusing packets
• Build statistics and reports to help you better explain technical network information to non-technical users

Because net-centric computing requires a deep understanding of network communication at the packet level, Practical Packet Analysis is a must-have for any network technician, administrator, or engineer troubleshooting network problems of any kind.

Don’t just stare at captured packets. Analyze them.

www.nostarch.com. “I lay flat.” This book uses RepKover—a durable binding that won’t snap shut. Printed on recycled paper. The finest in geek entertainment. Shelve in: Networking/Security. $39.95 ($49.95 CDN)
About the Author

Chris Sanders is the network administrator for the Graves County Schools in Kentucky, where he manages more than 1,800 workstations, 20 servers, and a user base of nearly 5,000. His website, ChrisSanders.org, offers tutorials, guides, and technical commentary, including the very popular Packet School 101. He is also a staff writer for WindowsNetworking.com and WindowsDevCenter.com. He uses Wireshark for packet analysis almost daily.

Technical review by Gerald Combs, creator of Wireshark

Download the capture files used in this book from www.nostarch.com/packet.htm

Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders. No Starch Press, San Francisco.

PRACTICAL PACKET ANALYSIS. Copyright © 2007 by Chris Sanders. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

11 10 09 08 07 1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-149-2
ISBN-13: 978-1-59327-149-7

Publisher: William Pollock
Production Editor: Christina Samuell
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Gerald Combs
Copyeditor: Megan Dunchak
Compositor: Riley Hoffman
Proofreader: Elizabeth Campbell
Indexer: Nancy Guenther

For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc., 555 De Haro Street, Suite 250, San Francisco, CA 94107; phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data
Sanders, Chris, 1986-
Practical packet analysis : using Wireshark to solve real-world network problems / Chris Sanders.
p. cm.
ISBN-13: 978-1-59327-149-7
ISBN-10: 1-59327-149-2
1. Computer network protocols. 2. Packet switching (Data transmission) I. Title.
TK5105.55.S265 2007
004.6'6 dc22
2007013453

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

Printed on recycled paper in the United States of America

This book is dedicated to my parents, who bought the first computer I ever programmed.

Brief Contents

Acknowledgments
Introduction
Chapter 1: Packet Analysis and Network Basics
Chapter 2: Tapping into the Wire
Chapter 3: Introduction to Wireshark
Chapter 4: Working with Captured Packets
Chapter 5: Advanced Wireshark Features
Chapter 6: Common Protocols
Chapter 7: Basic Case Scenarios
Chapter 8: Fighting a Slow Network
Chapter 9: Security-based Analysis
Chapter 10: Sniffing into Thin Air
Chapter 11: Further Reading
Afterword
Index

[...]
Contents in Detail (partial, as recovered from the preview)

Chapter 1 (fragment)
... Analysis
How Computers Communicate
Networking Protocols
The Seven-Layer OSI Model
Protocol Interaction
Data Encapsulation
The Protocol Data Unit
Network Hardware
Traffic Classifications

2 Tapping into the Wire
Living Promiscuously
Sniffing Around ...
Sniffing in a Switched Environment
Port Mirroring
Hubbing Out
ARP Cache Poisoning
Using Cain & Abel
Sniffing in a Routed Environment
Network Maps

3 Introduction to Wireshark
A Brief History of Wireshark
The Benefits of Wireshark
Supported Protocols ...

Chapter 8 (fragment)
Anatomy of a Slow Download
A Slow Route: What We Know; Tapping into the Wire; Analysis; Summary
Double Vision: What We Know; Tapping into the Wire; Analysis; Summary
Did That Server Flash Me?: What We Know; Tapping into the Wire; Analysis; Summary
A Torrential Downfall: What We Know; Tapping into the Wire; Analysis; Summary
POP Goes the Email Server: What We Know; Tapping into the Wire; Analysis; Summary
Here’s Something Gnu: What We Know; Tapping into the Wire; Analysis; Summary
Final Thoughts

9 Security-Based Analysis
OS Fingerprinting
A Simple Port Scan
The Flooded Printer: What We Know; Tapping into the Wire; Analysis; Summary
An FTP Break-In: What We Know; Tapping into the Wire; Analysis; Summary
Blaster Worm: What We Know; Tapping into the Wire; Analysis; Summary
Covert Information: What We Know; Tapping into the Wire; Analysis; Summary
A Hacker’s Point of View: What We Know; Tapping into the Wire; Analysis; Summary

10 Sniffing into Thin Air
Sniffing One Channel at a Time
Wireless Signal Interference
Wireless Card Modes
Sniffing Wirelessly ...
Configuring AirPcap
Capturing Traffic with AirPcap
Sniffing Wirelessly in Linux
802.11 Packet Extras
802.11 Flags
The Beacon Frame
Wireless-Specific Columns
Wireless-Specific Filters
Filtering Traffic for a Specific BSS Id
Filtering Specific Wireless Packet Types
Filtering Specific Data Types
A Bad Connection Attempt: What We Know; Tapping into the Air; Analysis; Summary
Final Thoughts

11 Further Reading

Afterword

Index

Acknowledgments (fragment)

... interest evolved into a passion through high school and college, and as that passion grew, so did my abilities, naturally leading me to situations in which I really needed to dig further into network and computer problems. This is when I stumbled upon the Wireshark project (it was called Ethereal at the time). This software allowed me to enter a completely new world. Being able to analyze problems in new ...

Posted: 14/08/2014, 14:20


Table of contents

  • PRACTICAL PACKET ANALYSIS

    • CONTENTS IN DETAIL

    • Acknowledgments

    • Introduction
